r&d is different from engineering? you're arguing against that now? gently caress's sake, a professor doesn't have to worry about a whole host of poo poo that someone developing a product does. when's the last time you saw marketing material on an algorithm?

Oct 6, 2015 17:34

"chemical engineer? uh, why can't the doctor running clinical trials scale it to production?"

Oct 6, 2015 17:36

JawnV6 posted:
when's the last time you saw marketing material on an algorithm

http://www.piedpiper.com

Oct 6, 2015 17:36

JawnV6 posted:
er, idk what you're on about here, but a cave-bound hermit professor eking out new algorithms doesn't have to worry about requirements gathering, extensibility, working with a team either local or distributed, etc.

working in software development tends to require a lot of different skills; that comment was mostly a reply to the post you'd quoted about academics being the only ones qualified to make new things, everyone else can just reimplement someone else's design. I think that thinking creatively and being flexible is important to working with groups and solving problems in business as well though.

Software development does seem to have a lot of issues with intellectual property that help ensure the same issues keep coming up; I don't know how that compares to other industries. I'm hopeful that eventually we'll have automated tools that more or less just work for things like security and check for simple off-by-one errors and such. And we'll get rid of php completely.

Oct 6, 2015 17:37

programming would be like construction if engineers didn't have to worry about the laws of physics.

Oct 6, 2015 17:39

Shaggar posted:
programming would be like construction if engineers

Oct 6, 2015 17:44

Shaggar posted:
It's not a "programming is art" thing, it's a "php literally is designed for insecurity and instability but people still use it everywhere and you can't stop them" thing

okay but is there ever like, a case where storing plaintext passwords in a database is not the worst loving thing to do? i don't care if you're using goddamn brainfuck to code with, there are definitely some common "ugh no" rules we can set down.

Oct 6, 2015 17:46

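The "ugh no" rule from the post above, as an added example that is not part of the thread: what a plaintext column leaks versus what the minimum alternative (a per-user random salt plus a slow key-derivation function) leaves in the table. It uses only the Python standard library; the record format, iteration count and sample password are this example's own choices.

```python
"""Added example, not from the original posts: plaintext password storage beside
salted PBKDF2-HMAC-SHA256 storage, using only the standard library.

The 'algo$iterations$salt$digest' record layout, the cost parameters and the
sample password are constructed for this demo."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: a present-day PBKDF2 cost; tune for your hardware
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The anti-pattern: whatever leaks from the table IS the password."""
    return password


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Returns one string a database column can hold: 'pbkdf2_sha256$iter$salt_hex$digest_hex'.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked with one rainbow table."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derives the digest with the stored salt and cost, compares in constant time.

    Any malformed record is treated as 'does not match' rather than raising."""
    try:
        algo, iter_str, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iter_str)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Constructed sample: what each scheme leaves behind for one user."""
    pw = "correct horse battery staple"          # constructed sample password
    hashed = hash_password(pw, iterations=10_000)  # low cost so the demo is fast
    return {
        "plaintext_leaks_secret": store_plaintext(pw) == pw,
        "hash_reveals_secret": pw in hashed,
        "verify_ok": verify_password(pw, hashed),
        "verify_wrong": verify_password("correct horse battery stapler", hashed),
        "salts_differ": hash_password(pw, iterations=10_000) != hashed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `verify_password` taking the cost from the record is that you can raise `ITERATIONS` later and re-hash users on their next login without a flag day; the constant-time compare is cheap insurance against a timing side channel on the digest.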
right, you start with a new universe and you drag in pieces from older universes and hope they work the way you expect in the new universe.

Oct 6, 2015 17:47

i'm not saying we need to make sure everyone uses the same loving indentation scheme and the same design paradigms for everything but programming is not so loving esoteric that there isn't enough commonality between languages to lay down basic ground rules about not loving poo poo up.

Oct 6, 2015 17:49

Parallel Paraplegic posted:
okay but is there ever like, a case where storing plaintext passwords in a database is not the worst loving thing to do? i don't care if you're using goddamn brainfuck to code with, there are definitely some common "ugh no" rules we can set down.

this is still going to happen post-certification, guaranteed

Oct 6, 2015 17:49

and i don't think you need to spend a billion dollars setting up a worthless certification regime in order to make a negligence case in court

Oct 6, 2015 17:50

Farmer Crack-rear end posted:
this is still going to happen post-certification, guaranteed

of course, there will always be professional incompetence of some kind. this at least minimizes it and sets up a framework to hold people who do it accountable.

Oct 6, 2015 17:50

Farmer Crack-rear end posted:
and i don't think you need to spend a billion dollars setting up a worthless certification regime in order to make a negligence case in court

and now we're back to this thing that has worked in other industries for literally decades? yeah, we don't need to do that here, it's pointless

Oct 6, 2015 17:51

i'm not even a programmer, i just have absolutely zero reason to believe that whatever certification you have in mind is going to be anything more than a worthless rubber stamp on a resume

i mean i guess the upside is this will create a lot of new jobs for all the paperwork and record keeping that will be involved

Oct 6, 2015 17:52

can't wait for the yospos thread on "programmers' guild certification database hacked because of shoddy programming"

Oct 6, 2015 17:52

Farmer Crack-rear end posted:
i'm not even an architect/engineer/lawyer/tradesman, i just have absolutely zero reason to believe that whatever certification you have in mind is going to be anything more than a worthless rubber stamp on a resume

Oct 6, 2015 17:53

the closest analogous activity to programming that i can think of would be jerking off. it's alienating to women, highly overvalued, and produces nothing of value

Oct 6, 2015 17:54

Farmer Crack-rear end posted:
i'm not even a programmer, i just have absolutely zero reason to believe that whatever certification you have in mind is going to be anything more than a worthless rubber stamp on a resume

if they actually set up standards that made people clearly liable for stupid things it would help. here's what you have to do for compliance against cross-site scripting, here's what you have to do when you secure a database. It's not going to solve the problem but it would clearly establish what at minimum you have to do to not be negligent (making it easier to hold those who don't accountable).

Oct 6, 2015 17:55

Stymie posted:
the closest analogous activity to programming that i can think of would be jerking off

lol

Oct 6, 2015 17:55

Broken Machine posted:
if they actually set up standards that made people clearly liable for stupid things it would help. here's what you have to do for compliance against cross-site scripting, here's what you have to do when you secure a database. It's not going to solve the problem but it would clearly establish what at minimum you have to do to not be negligent (making it easier to hold those who don't accountable).

yes, this exactly. this is the whole point of having "professional standards" enforced by a guild or professional association. it's really not a difficult concept

Oct 6, 2015 17:57

Farmer Crack-rear end posted:
this is still going to happen post-certification, guaranteed

we already have these exact requirements in existing security certifications and they don't work.

Oct 6, 2015 17:59

infernal machines posted:
yes, this exactly. this is the whole point of having "professional standards" enforced by a guild or professional association. it's really not a difficult concept

but... computers...

Oct 6, 2015 17:59

Broken Machine posted:
if they actually set up standards that made people clearly liable for stupid things it would help. here's what you have to do for compliance against cross-site scripting, here's what you have to do when you secure a database. It's not going to solve the problem but it would clearly establish what at minimum you have to do to not be negligent (making it easier to hold those who don't accountable).

i mean when you take the test you'd be told at least once that if you gently caress this poo poo up you're liable, which i think would do more than people seem to think.

also a bunch of the idiot programmers i've met literally do not know how to do these things, or that you should do these things, or that there exist procedures for doing these things, so they just do it themselves or grab the first half-assed answer off SO that tells them to disable certificate checking or w/e and go with it. this would at the very least create a point where they explicitly have to be exposed to this information, even if it's just cramming for the test or whatever.

Oct 6, 2015 18:01

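The "disable certificate checking" answer the post above describes, as an added example that is not part of the thread: the weak `ssl.SSLContext` settings copied from a half-assed answer beside the corrected context, plus a small audit function that flags the weak settings. It uses only the Python standard library and makes no network connection; the check list in `audit_context` is this example's own.

```python
"""Added example, not from the original posts: the 'just turn off certificate
checking' context beside a correct one, and an audit that tells them apart.

No sockets are opened; only the context objects are inspected."""
import ssl


def insecure_context() -> ssl.SSLContext:
    """The copy-pasted 'fix': any certificate from anyone, for any hostname.

    check_hostname must be switched off first; Python refuses CERT_NONE while
    hostname checking is still on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """What the code should have done: keep the default CERT_REQUIRED plus
    hostname matching, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Returns human-readable findings; an empty list means nothing flagged.

    The three checks are this example's own minimum bar, not a standard."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions allowed")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(label, audit_context(ctx) or "ok")
```

The audit is the kind of thing you can drop into a code review bot or a unit test: a context that passes it still needs a trust store, but one that fails it cannot be doing TLS for any meaningful definition of the word.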
Shaggar posted:
we already have these exact requirements in existing security certifications and they don't work.

some do, some don't. really certifications are the usb charging standard all over again

Oct 6, 2015 18:02

Parallel Paraplegic posted:
i mean when you take the test you'd be told at least once that if you gently caress this poo poo up you're liable, which i think would do more than people seem to think.

I think a part of the problem is that there's no one place to look for answers to these questions, and the best answers tend to be trade secrets. I'm sure google has a whole set of processes they adhere to when they develop web apps, and I'm also sure they don't share some of that info openly. It's also often not discussed during most CS classes.

Oct 6, 2015 18:05

Parallel Paraplegic posted:
i mean when you take the test you'd be told at least once that if you gently caress this poo poo up you're liable, which i think would do more than people seem to think.

the first step to fixing the problem is general legislation that puts liability and penalties squarely on the shoulders of those who get hacked. that's the only way you're going to incentivize them to do something. then you can have people organize guilds that provide secure services if you want.

our company is covered under HIPAA so we do the best stuff we can, but the best of the best is just not storing the data at all if we don't need it. because there are no liability issues for these hacks, all these companies that collect people's data collect whatever they can get. if you reverse that and say "hey if any of this leaks ur on the hook" then they stop collecting stuff they don't need and they secure what's left.

you're never in a million years gonna get a company to go "oh, ok, there's no reason for me to pay for the more expensive guild programmer but i'm gonna do it anyway". the penalties have to start at the corporate level.

Oct 6, 2015 18:07

Broken Machine posted:
I think a part of the problem is that there's no one place to look for answers to these questions, and the best answers tend to be trade secrets. I'm sure google has a whole set of processes they adhere to when they develop web apps, and I'm also sure they don't share some of that info openly. It's also often not discussed during most CS classes.

nah, there's a lot of stuff that's easy to find about how to do things the right way, and if you use good tools a lot of it is built right in (because the tool makers also helped define the standards). but you're absolutely right that what comes out of comp sci programs is not anywhere close to production-level developers. it takes a few years before they will even begin to grasp actual programming, if they ever do at all. cs courses aren't anything close to engineering courses

Oct 6, 2015 18:10

this is also solved for medical devices. not just embedded code, up to and including mobile apps

if you have an app that's recommending a treatment, it's going through FDA's standards

Oct 6, 2015 18:13

JawnV6 posted:
this is also solved for medical devices. not just embedded code, up to and including mobile apps

wasn't there a story recently about automated iv pumps that could be "hacked" over wifi?

Oct 6, 2015 18:18

yeah, they've pulled one product, and FDA sent out alerts about others

strikes me as a hyatt regency kinda thing: the designers added a serial port assuming it would only be connected for FW updates, on-site implementers leave it plugged in, the documentation forbids it but the gap is there in actual usage?

Oct 6, 2015 18:25

Parallel Paraplegic posted:
i'm not saying we need to make sure everyone uses the same loving indentation scheme and the same design paradigms for everything but programming is not so loving esoteric that there isn't enough commonality between languages to lay down basic ground rules about not loving poo poo up.

one of the reasons people react this way is that when a group or company does try to standardize things, that's often exactly how it plays out

it's usually not "we will do code reviews in this way, and here's how we'll implement requirements analysis and traceability, and here's how we'll handle root-cause analysis for regressions, and here's how we'll manage schedules"

instead it's the CTO saying "we're all going to use this language/tool/platform [because the vendor takes me golfing/it's what I used 10 years ago], Alice & Bob have come up with a great naming scheme & indentation style that we'll enforce at the mandatory Friday afternoon code review, and we're going to do all this other stuff so we look busy but none of it will actually address quality or scheduling in any serious way but you have to do it and also meet the deadlines I arbitrarily set for when things will ship and what features they'll have, and no you can't hire more people because we can't get people to move here for our $45K starting salary until the next H1-B visa lottery"

Oct 6, 2015 20:01

qirex posted:
it's entirely possible for someone to read a "programming for dummies" book and become successful with continued work, why prevent that?

because it's toxic to the industry, and the output is usually horrible because they don't even know enough to know how bad they are

for instance, the reason most small restaurant websites look horrible is because why pay a professional designer or developer for your business's website when your brother's friend's cousin's twelve-year-old nephew is always bragging about how awesome his website is? of course then somebody tells them about this cool thing called "online ordering" and the next thing you know little timmy is trying to hack together an e-commerce platform out of php and javascript for ten bucks an hour

there are a lot of different "right ways" to code things, but the prevalence of poo poo like sql injection vulnerabilities and people trying to roll their own homemade encryption are good reminders that there are plenty of absolutely wrong ways that we should be trying to filter out. sure, people might not be willing to follow standards, but somehow doctor and lawyer and architect associations manage to keep misconduct down and it's not like those industries aren't creative or full of stubborn assholes

qirex posted:
idk what other professional associations are like but the uxpa is full of the lamest people doing the most boring work i went to a uxpa conference once.

you poor soul. at least in associations for technical fields the slapfights are entertaining, because there's always a chance someone who was in the working group to develop ~thing~ is in the audience listening to the presenter talk about how ~thing~ is horrible and no one should ever use it

qirex posted:
the only way that could work is if salaried workers could refuse work with unreasonable requirements without getting fired

idk that sounds like maybe something a union could help with somehow???

Oct 6, 2015 20:13

Shaggar posted:
we already have these exact requirements in existing security certifications and they don't work.

part of the reason they don't work is that doing something entirely without a certification may actually result in less liability: someone with a certification would be assumed to know better, and therefore bear a greater liability for doing something wrong

for certification to have teeth it needs to result in greater liability to not have it than to have it as long as everything was done right

after all, there can still be breaches, but a breach where everything was done according to standards by people who are certified in them should result in far lower liability than a breach where everything is total clown show. like it could be the difference between insurance taking care of things and insurance saying "lol you're on your own"

Oct 6, 2015 20:13

right, which is why it should be federally regulated so everyone is liable for the data they store, not just companies who have claimed a cert or the companies that audit those companies. it will never happen tho cause god drat is that a lot of work.

Oct 6, 2015 20:16

Main Paineframe posted:
somehow doctor and lawyer and architect associations manage to keep misconduct down and it's not like those industries aren't creative or full of stubborn assholes

the problem with those industries is that they also actively try to keep the supply limited by putting up barriers to entry that have nothing to do with competence or hard work

Oct 6, 2015 20:16

Shaggar posted:
right, which is why it should be federally regulated so everyone is liable for the data they store, not just companies who have claimed a cert or the companies that audit those companies.

I expect insurance companies will start demanding it, especially if there are any big payouts in the courts

Oct 6, 2015 20:17

eschaton posted:
part of the reason they don't work is that doing something entirely without a certification may actually result in less liability: someone with a certification would be assumed to know better, and therefore bear a greater liability for doing something wrong

it might result in less liability for the individual, but it almost certainly results in much much heavier liability for the individual's employer for knowingly having someone who lacks security qualifications design their security-critical thing. whereas if they hire someone who is certified, they can say they had every reason to think the programmer was qualified to do it right and offload all of the liability on them instead. and if no one will hire non-certified programmers for anything important due to the liability risk, then certified programmers and/or the certifying group have some leverage to push back against bad requirements from the employer

eschaton posted:
the problem with those industries is that they also actively try to keep the supply limited by putting up barriers to entry that have nothing to do with competence or hard work

problem? i'd say it's worked out pretty well for them actually!

Oct 6, 2015 20:38

Main Paineframe posted:
because it's toxic to the industry, and the output is usually horrible because they don't even know enough to know how bad they are

as far as the "right way," why do text boxes not scrub sql out by default? the tools we have available are still laughably primitive and the fact that it's vastly easier to deploy insecure code than secure is an industry toolchain and infrastructure problem that can't be solved with more training

the core problem is that there's no good way to value software because it's impossible to objectively judge its quality until it's complete, and even then it might work perfectly until it melts down or modifying it might be prohibitively expensive; the requirements of each system are so different

eschaton posted:
the problem with those industries is that they also actively try to keep the supply limited by putting up barriers to entry that have nothing to do with competence or hard work

Oct 6, 2015 20:41

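The sql injection question raised in the two posts above ("why do text boxes not scrub sql out by default?", and the earlier mention of sql injection as an "absolutely wrong way"), as an added example that is not part of the thread: a string-concatenated query beside a "scrubbing" filter beside a parameterized query, run against an in-memory SQLite table so it works offline. The table, its rows and the attacker input are constructed for this demo.

```python
"""Added example, not from the original posts: three ways to take a text-box
value into a query, run against a constructed in-memory SQLite table.

concat  - the vulnerable splice; the input can change the query's shape
scrub   - the 'just strip quotes' fix; it blocks this payload but breaks real data
param   - the actual fix; the driver sends the value out of band"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; note the legitimate apostrophe in o'brien."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
        ("o'brien", "obrien@example.com"),
    ])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the text-box value becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_scrub(conn: sqlite3.Connection, name: str) -> list:
    """The 'scrub the box' idea: delete quote characters, then splice anyway.
    Stops the tautology payload below, but legitimate names with apostrophes
    can no longer be found, and other escape routes are not covered."""
    return lookup_concat(conn, name.replace("'", ""))


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Correct: a placeholder; the value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Row counts each strategy returns for an honest user, a legitimate
    awkward name, and a constructed tautology payload."""
    conn = make_db()
    attacker = "x' OR '1'='1"   # constructed payload: closes the literal, adds a true clause
    return {
        "concat_honest": len(lookup_concat(conn, "alice")),
        "concat_attack": len(lookup_concat(conn, attacker)),   # every row comes back
        "scrub_attack": len(lookup_scrub(conn, attacker)),
        "scrub_legit": len(lookup_scrub(conn, "o'brien")),      # real user not found
        "param_honest": len(lookup_param(conn, "alice")),
        "param_attack": len(lookup_param(conn, attacker)),
        "param_legit": len(lookup_param(conn, "o'brien")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `scrub` row is the answer to "why not scrub by default": a filter sitting in front of the text box has to know which characters matter to which database, and it either lets something through or mangles legitimate input; parameter binding works because the query text and the data never meet.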
the tech business isn't impossible to regulate because it's ~*SpEcIaL*~, it's impossible to regulate because it's a dumpster fire of barely-working hacks all the way back to the ENIAC and everyone in the world is dumping more garbage into it faster than it's burning

Oct 6, 2015 20:48

man, that is some dumb bullshit

yes, how could anyone possibly enter a profession that's in any way regulated? how?

why would hobbyists need to be regulated at all? johnny knocks up some code at home and posts it to his github, no loving problem. some dipshit wants to use johnny's code in production, well that's on him and if something breaks because of it he gets censured by the guild

it's not goddamn rocket science

Oct 6, 2015 20:51